I've observed that HttpServletRequest.isUserInRole() always returns false (regardless of the argument given) when called from an unsecured resource, even if the user has already been authenticated during the session. Similarly, getUserPrincipal() always returns null under these circumstances.

I've seen several posts regarding this topic, and I'm curious if the JBoss development team is convinced that it works correctly. I think it's pretty clear from the servlet spec that once a user is authenticated, these methods should reflect this. I didn't see any exclusions regarding unsecured pages. And if there is any doubt, you can always check the reference implementation -- Tomcat 4.1.29 standalone returns the same values for these functions regardless of whether invoked in the context of a secured or unsecured page. In fact, I've never seen another servlet container that handles this the way JBoss does.

The JBoss behavior is problematic for any web app that tailors the content of unsecured pages depending on the authenticated role of the user. For instance, you may want a JSP to omit links to secured resources on a page if the viewer is not authorized to access them anyway.

Has this issue been reviewed by the development team, and is any action planned?
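One way to keep unsecured pages from seeing "null / false" on this container, as an added example that is not code from the thread or from JBoss: a servlet filter that snapshots the container's answers whenever a secured page is served and replays them through a request wrapper on unsecured pages. The filter class, the role names in ROLES and the session key are assumptions for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

// Hypothetical filter: snapshot the container's answers on a secured page,
// replay them on unsecured pages where the container reports null / false.
public class PrincipalCacheFilter implements Filter {
    // Role names this application declares (assumption, not from the thread).
    private static final String[] ROLES = { "admin", "editor" };
    private static final String KEY = PrincipalCacheFilter.class.getName();
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal p = http.getUserPrincipal();
        HttpSession session = http.getSession(false);
        if (p != null) {
            // Secured page: the container authenticated the user; record its answers.
            Map<String, Boolean> roles = new HashMap<String, Boolean>();
            for (String r : ROLES) roles.put(r, Boolean.valueOf(http.isUserInRole(r)));
            http.getSession(true).setAttribute(KEY, new Snapshot(p, roles));
        } else if (session != null && session.getAttribute(KEY) != null) {
            // Unsecured page: replay the snapshot instead of null / false.
            final Snapshot s = (Snapshot) session.getAttribute(KEY);
            http = new HttpServletRequestWrapper(http) {
                public Principal getUserPrincipal() { return s.principal; }
                public boolean isUserInRole(String role) {
                    return Boolean.TRUE.equals(s.roles.get(role));
                }
            };
        }
        chain.doFilter(http, res);
    }
    static class Snapshot {
        final Principal principal; final Map<String, Boolean> roles;
        Snapshot(Principal p, Map<String, Boolean> r) { principal = p; roles = r; }
    }
}
```

Map the filter to /* so it runs on both kinds of page. The snapshot lives only as long as the session and goes stale if the user's roles change on the server, so invalidate the session on logout rather than relying on the container to clear it.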

AFAIK tomcat 5.x standalone invokes this behaviour as well, PITA that it may be.

While I mostly hold the servlet spec team & tomcat (& increasingly the JBoss) developers in high regard for the quality of their decisions, in this case it smacks to me of 'nanny-ism'.

I believe it is done in the cause of increased security, although I am not quite clear and haven't been able to get a clear answer out of anybody (but I'm still trying). I have even been trying to get hold of the servlet spec team contact address, but haven't got there yet.

I was using the default embedded Tomcat for JBoss 3.2.3, which is 4.1.29. I compared it with the same version of the standalone product, with which the behavior differs. According to the last post in the thread at http://www.jboss.org/index.html?module=bb&op=viewtopic&t=26355, something has been added to the 2.4 servlet spec that supports our position -- in section (SRV.12.10 Login and Logout) it says

"Being logged in to a web application corresponds precisely to there being a valid non-null value in getUserPrincipal method, discussed in SRV.12.3".

Under this, the current behavior of JBoss will be equivalent to forcibly logging out a user every time he goes from a secured to an unsecured page.

That is just your interpretation of the spec. It doesn't mention what should happen on pages that are not under any security constraint.

I have to admit though that I am not prepared to read the whole spec from back to front to find out if they do mention what should happen anywhere, because I'm pretty sure they do.

These guys interpret it, program their container and we use it.

As I said though, I am trying to find out more in order to understand why they are doing it. Once I understand why, if I still disagree, then I'll probably launch some sort of petition to get it changed. I knew I wasn't the only one affected, but just how many of us there are, I don't know.

"ahardy66" wrote: These guys interpret it, program their container and we use it.

What I like about JBoss is that it isn't just a dumb implementation of a spec. Fleury & Co can "do it right" no matter what the spec says.

It's pretty clear that the J2EE integrated security parts of the servlet spec are seriously deficient. I was making these exact same complaints four years ago and it's still not fixed. Just try implementing a "remember me" checkbox... you can't without bypassing the system entirely.